14

I am trying to create a Cognito FederatedIdentityPool with CognitoUserPool as one Authentication Provider. Creating UserPool was easy enough:

    const userPool = new cognito.CfnUserPool(this, 'MyCognitoUserPool')
    const userPoolClient = new cognito.CfnUserPoolClient(this, 'RandomQuoteUserPoolClient', {
      generateSecret: false,
      userPoolId: userPool.userPoolId
    });

However I am not sure how to connect this to an Identity Pool:

    const identityPool = new cognito.CfnIdentityPool(this, 'MyIdentityPool', {
      allowUnauthenticatedIdentities: false,
      cognitoIdentityProviders: ?????
    });

Based on IdentityProvider API Documentation it looks like there is a propert cognitoIdentityProviders, however it accepts an array of cdk.Token/CognitoIdentityProviderProperty.

Now I tried creating a CognitoIdentityProviderProperty object and pass it cognitoIdentityProviders: [{ clientId: userPoolClient.userPoolClientId }], but I am getting following exception:

 1/2 | 09:48:35 | CREATE_FAILED        | AWS::Cognito::IdentityPool   | RandomQuoteIdentityPool Invalid Cognito Identity Provider (Service: AmazonCognitoIdentity; Status Code: 400; Error Code: InvalidParameterException; Request ID: 4d6d579a-6455-11e9-99a9-85159bc87779)
        new CdkWorkshopStack (/Users/cdk/lib/cdk-workshop-stack.ts:46:26)
        \_ Object.<anonymous> (/Users/cdk/bin/cdk-workshop.ts:7:1)
        \_ Module._compile (module.js:653:30)
        \_ Object.Module._extensions..js (module.js:664:10)
        \_ Module.load (module.js:566:32)
        \_ tryModuleLoad (module.js:506:12)
        \_ Function.Module._load (module.js:498:3)
        \_ Function.Module.runMain (module.js:694:10)
        \_ startup (bootstrap_node.js:204:16)
        \_ bootstrap_node.js:625:3

I even tried copying id from AWS Console and hardcoding it here, still same error.

  1. Can someone please help me in explaining how can I configure Authentication Providers in CfnIdentityPool.
  2. Why is there a UserPool and CfnUserPool? What is difference between them and which one is supposed to be used?
c2tarun
  • 776
  • 2
  • 9
  • 27
  • 1
    what you're missing is the property: providerName So, `cognitoIdentityProviders` should be something like this: `cognitoIdentityProviders: [{ clientId: userPoolClient.userPoolClientId, providerName: userPool.userPoolProviderName}]` – CCarlos Oct 11 '19 at 20:10

3 Answers3

38

This is the way I managed to mimic the default configuration created through the aws console when you create an identity pool with a user pool as identity provider. It includes some other features apart from what you have asked (allows unauthenticated access and specify the password policy), but is easy to modify to your needs.

    const userPool = new cognito.UserPool(this, 'MyUserPool', {
        signInType: SignInType.EMAIL,
        autoVerifiedAttributes: [
            UserPoolAttribute.EMAIL
        ]
    });
    const cfnUserPool = userPool.node.defaultChild as cognito.CfnUserPool;
    cfnUserPool.policies = {
        passwordPolicy: {
            minimumLength: 8,
            requireLowercase: false,
            requireNumbers: false,
            requireUppercase: false,
            requireSymbols: false
        }
    };
    const userPoolClient = new cognito.UserPoolClient(this, 'MyUserPoolClient', {
        generateSecret: false,
        userPool: userPool,
        userPoolClientName: 'MyUserPoolClientName'
    });
    const identityPool = new cognito.CfnIdentityPool(this, 'MyCognitoIdentityPool', {
        allowUnauthenticatedIdentities: false,
        cognitoIdentityProviders: [{
            clientId: userPoolClient.userPoolClientId,
            providerName: userPool.userPoolProviderName,
        }]
    });
    const unauthenticatedRole = new iam.Role(this, 'CognitoDefaultUnauthenticatedRole', {
        assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
            "StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
            "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "unauthenticated" },
        }, "sts:AssumeRoleWithWebIdentity"),
    });
    unauthenticatedRole.addToPolicy(new PolicyStatement({
        effect: Effect.ALLOW,
        actions: [
            "mobileanalytics:PutEvents",
            "cognito-sync:*"
        ],
        resources: ["*"],
    }));
    const authenticatedRole = new iam.Role(this, 'CognitoDefaultAuthenticatedRole', {
        assumedBy: new iam.FederatedPrincipal('cognito-identity.amazonaws.com', {
            "StringEquals": { "cognito-identity.amazonaws.com:aud": identityPool.ref },
            "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" },
        }, "sts:AssumeRoleWithWebIdentity"),
    });
    authenticatedRole.addToPolicy(new PolicyStatement({
        effect: Effect.ALLOW,
        actions: [
            "mobileanalytics:PutEvents",
            "cognito-sync:*",
            "cognito-identity:*"
        ],
        resources: ["*"],
    }));
    const defaultPolicy = new cognito.CfnIdentityPoolRoleAttachment(this, 'DefaultValid', {
        identityPoolId: identityPool.ref,
        roles: {
            'unauthenticated': unauthenticatedRole.roleArn,
            'authenticated': authenticatedRole.roleArn
        }
    });

Why is there a UserPool and CfnUserPool? What is difference between them and which one is supposed to be used?

UserPool is a high-level representation of the resource and is the prefered way to work but not all the properties are implemented yet. CfnUserPool (an any Cfn prefixed class) is a low-level representation that maps to a Cloudformation resource. You can use both when the high-level class don't fulfill your necessities, as in the example.

Daniel Birowsky Popeski
  • 8,752
  • 12
  • 60
  • 125
soycabanillas
  • 605
  • 5
  • 11
3

I was able to figure our how to attach UserPool to Identity Pool

    const userPool = new cognito.CfnUserPool(this, 'MyCognitoUserPool')
    const userPoolClient = new cognito.CfnUserPoolClient(this, 'MyCognitoUserPoolClient', {
      generateSecret: false,
      userPoolId: userPool.userPoolId
    });

    const identityPool = new cognito.CfnIdentityPool(this, 'MyCognitoIdentityPool', {
      allowUnauthenticatedIdentities: false,
      cognitoIdentityProviders: [{
        clientId: userPoolClient.userPoolClientId,
        providerName: userPool.userPoolProviderName
      }]
    });

Still struggling with attaching Role to IdentityPool and don't know the difference between CfnUserPool and UserPool. However, this question can marked as partially resolved.

c2tarun
  • 776
  • 2
  • 9
  • 27
  • 1
    userPoolClientId no longer exists as a property on the CfnUserPoolClient object :/ – frank Jul 22 '19 at 06:24
  • 2
    @franck you can get the id by using `ref` instead – CCarlos Oct 11 '19 at 20:26
  • Sorry @CCarlos would you mind explaining a bit more what you mean by using ref? – Andreas Oct 30 '19 at 19:30
  • 3
    @Andreas yep. What I mean is that, if you're trying to get your userpool's id, you can get it through a property called `ref` which is a read-only property and it is available until your pool has been created. At least this works in CDK 1.12 (I haven't updated to 1.15 yet) – CCarlos Nov 04 '19 at 19:59
3

The CDK must have changed this was created. I got it working with the example from @CCarlos:

const pool = new cognito.CfnUserPool(this, "cdkUserpool", {
  userPoolName: "cdkUserPoolName",
  usernameAttributes: ["email"],
});
const client = new cognito.CfnUserPoolClient(this, "cdkClient", {
  userPoolId: pool.ref, // <--- This part has changed.
  explicitAuthFlows: ["ADMIN_NO_SRP_AUTH"],
  generateSecret: false,
  readAttributes: [
    "preferred_username",
    "website",
    "email",
    "name",
    "zoneinfo",
    "phone_number",
    "phone_number_verified",
    "email_verified",
  ],
  writeAttributes: ["name", "zoneinfo", "phone_number"],
});
justintimeza
  • 1,064
  • 4
  • 8